bugzilla-daemon at netfilter.org
2019-Oct-09 11:27 UTC
[Bug 1370] New: iptables-restore-translate
https://bugzilla.netfilter.org/show_bug.cgi?id=1370
Bug ID: 1370
Summary: iptables-restore-translate
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: tad1073 at gmail.com
Created attachment 571
--> https://bugzilla.netfilter.org/attachment.cgi?id=571&action=edit
Untranslatable Rules
There are some rules that could not be translated, and I don't know enough about
nftables to translate them by hand. Could I get some help with those rules?
# -t mangle -A PREROUTING -p tcp -m tcp --sport 53 -j TOS --set-tos 0x04/0xff
# -t mangle -A PREROUTING -p tcp -m tcp --sport 512:65535 -j TOS --set-tos 0x10/0xff
# -t mangle -A POSTROUTING -d 199.201.233.88/32 -p tcp -j ECN --ecn-tcp-remove
# -t mangle -A POSTROUTING -p tcp -m tcp --dport 5353 -j TOS --set-tos 0x00/0xff
# -t mangle -A POSTROUTING -p tcp -m tcp --dport 512:65535 -j TOS --set-tos 0x10/0xff
# -t filter -A INPUT -m recent --update --seconds 300 --hitcount 1 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
# -t filter -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# -t filter -A FRAG_UDP -p udp -f -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
# -t filter -A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
# -t filter -A IN_SANITY -p tcp -m tcp --tcp-option 64 -j DROP
# -t filter -A PZERO -p tcp -m tcp --dport 0 -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
# -t filter -A RABPSCAN -p tcp -m tcp --dport 1 -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20191009/aae2273f/attachment.html>
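The list above is what iptables-restore-translate emits for rules it cannot translate: each one is left as a "# -t ... -A ..." comment line, so a ruleset loaded from that output unchecked silently loses them. The following is an added example (not code from the bug report or the nftables project) that parses such output, lists the untranslated rules with the match extensions and targets that need manual work, and refuses to pass while any remain; the sample input is constructed from the rules quoted in the report, and the list of "blocking" pieces is a heuristic.

```python
# Added example, not from the bug report or the nftables project: audit the output
# of iptables-restore-translate for rules it could not translate. The tool leaves
# such rules as "# -t <table> -A <chain> ..." comment lines (as in the report above),
# so loading its output unchecked silently drops them, and a lost DROP fails open.
import re
import shlex
# Constructed sample of translate output, built from the rules quoted in the report.
SAMPLE = """\
add rule ip filter INPUT ct state established,related accept
# -t filter -A INPUT -m recent --update --seconds 300 --hitcount 1 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
# -t filter -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# -t filter -A FRAG_UDP -p udp -f -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
# -t mangle -A PREROUTING -p tcp -m tcp --sport 53 -j TOS --set-tos 0x04/0xff
"""

RULE_COMMENT = re.compile(r"^#\s+(-t\s+\S+\s+-A\s+.*)$")  # rule-shaped comments only
OPT_KEY = {"-t": "table", "-A": "chain", "-p": "proto", "-j": "target"}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN"}
TRIVIAL_MATCHES = {"tcp", "udp"}  # implied by -p, never the cause of a failure


def parse_rule(spec):
    """Pull table, chain, protocol, match modules and target out of one rule spec."""
    toks = shlex.split(spec)
    info = {"table": None, "chain": None, "proto": None, "target": None, "matches": []}
    for i, t in enumerate(toks[:-1]):  # every option handled here takes one argument
        if t in OPT_KEY:
            info[OPT_KEY[t]] = toks[i + 1]
        elif t == "-m":
            info["matches"].append(toks[i + 1])
    # Heuristic list of what nft had no translation for: extra match modules,
    # non-builtin targets, fragment matching and raw TCP option matching.
    info["blockers"] = [m for m in info["matches"] if m not in TRIVIAL_MATCHES]
    if info["target"] not in BUILTIN_TARGETS:
        info["blockers"].append(info["target"])
    info["blockers"] += [f for f in ("-f", "--tcp-option") if f in toks]
    # A DROP/REJECT that silently vanishes re-opens traffic the old ruleset blocked.
    info["impact"] = "fail-open" if info["target"] in ("DROP", "REJECT") else "behaviour change"
    return info


def untranslated_rules(output):
    """Parse every untranslated rule left as a comment in translate output."""
    return [parse_rule(m.group(1)) for m in map(RULE_COMMENT.match, output.splitlines()) if m]


def audit(output):
    """Return (ok, report lines); ok is False while any rule still needs manual work."""
    rules = untranslated_rules(output)
    report = ["%s/%s -> %s [%s]: needs %s" % (r["table"], r["chain"], r["target"],
              r["impact"], ", ".join(r["blockers"])) for r in rules]
    return not rules, report
```

Run audit() over the real translate output before loading it with nft; the fail-open entries are the ones to hand-translate first.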
bugzilla-daemon at netfilter.org
2019-Oct-09 11:31 UTC
[Bug 1370] iptables-restore-translate
https://bugzilla.netfilter.org/show_bug.cgi?id=1370
--- Comment #1 from Thomas <tad1073 at gmail.com> ---
I can manage "add rule ip mangle PREROUTING tcp sport ..." etc., but the rest I don't know.
bugzilla-daemon at netfilter.org
2019-Oct-11 13:32 UTC
[Bug 1370] iptables-restore-translate
https://bugzilla.netfilter.org/show_bug.cgi?id=1370
--- Comment #2 from Thomas <tad1073 at gmail.com> ---
add rule ip mangle prerouting tcp sport 512:65535 jump tos set tos 0x10/0xff
add rule ip mangle postrouting ip daddr 63.251.212.130/32 tcp jump ecn ecn tcp remove
add rule ip mangle postrouting ip daddr 199.201.233.88/32 jump ecn tcp remove
Is this how to translate those iptables rules to nftables?